Description
Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/08/07/1
https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1430
https://www.zerodayinitiative.com/advisories/ZDI-19-834/